Networking

If you are using distributed virtual switches, some specific network security configurations can be managed only through advanced settings. For example, to enable the Bridge Protocol Data Unit (BPDU) filter, you must use a host advanced setting, Net.BlockGuestBPDU, as described in KB 2047822, Understanding the BPDU Filter feature in vSphere, at https://kb.vmware.com/kb/2047822.

Of course, the security policies (promiscuous mode, MAC address change, and forge packets) for the virtual switches are still relevant, but for distributed virtual switches, they are all rejected by default (starting with vSphere 5.1).
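
The following audit script is an added example, not taken from the book or from VMware documentation. It reports the state of Net.BlockGuestBPDU on every host and lists distributed port groups whose security policy no longer matches the reject-by-default state described above. It assumes VMware PowerCLI is installed and that a session to vCenter is already open with Connect-VIServer; the output property names (Host, BpduFilterEnabled, AtDefault, and so on) are chosen for this example.

```powershell
# Added example: read-only audit of the settings discussed above.
# Assumption: VMware PowerCLI is loaded and Connect-VIServer has already been run.

# 1. BPDU filter: host advanced setting Net.BlockGuestBPDU (1 = filter enabled).
$bpduReport = foreach ($vmhost in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Net.BlockGuestBPDU'
    [pscustomobject]@{
        Host              = $vmhost.Name
        BlockGuestBPDU    = $setting.Value
        BpduFilterEnabled = ($setting.Value -eq 1)
    }
}

# 2. Security policies on each distributed port group.
#    Default on a distributed switch: all three policies rejected (False).
$policyReport = foreach ($pg in Get-VDPortgroup) {
    $sec = Get-VDSecurityPolicy -VDPortgroup $pg
    [pscustomobject]@{
        VDSwitch         = $pg.VDSwitch.Name
        Portgroup        = $pg.Name
        AllowPromiscuous = $sec.AllowPromiscuous
        MacChanges       = $sec.MacChanges
        ForgedTransmits  = $sec.ForgedTransmits
        AtDefault        = -not ($sec.AllowPromiscuous -or
                                 $sec.MacChanges -or
                                 $sec.ForgedTransmits)
    }
}

# Hosts where the BPDU filter is not enabled.
$bpduReport | Where-Object { -not $_.BpduFilterEnabled } |
    Format-Table -AutoSize

# Port groups where at least one policy has been changed to accept.
$policyReport | Where-Object { -not $_.AtDefault } |
    Format-Table -AutoSize

# To enable the BPDU filter on all hosts, uncomment the next two lines:
# Get-VMHost | Get-AdvancedSetting -Name 'Net.BlockGuestBPDU' |
#     Set-AdvancedSetting -Value 1 -Confirm:$false
```

A port group listed by the second report is not necessarily misconfigured: some workloads need an accept setting, so each entry should be matched against a documented exception.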

Virtual switches do not provide firewall functions (ESXi personal firewall works only on VMkernel ports); to implement micro-segmentation, you need solutions such as NSX, although you can achieve some necessary protection using filtering rules on the distributed vSwitch.
